Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. For the next few weeks, I’ll be taking the helm of The Cybersecurity 202. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
Google has been stepping up its efforts to protect political campaigns against phishing attacks — one of the most pressing threats facing candidates as hackers continue to target them via email.
U.S. political campaigns overwhelmingly use Google as their email provider, according to data collected by anti-phishing start-up Area1 Security. Of the 1,460 candidates the company is tracking who are running for the Senate, House of Representatives or governor, 65 percent use Google as their email provider.
The 2018 midterms will be the first test of the security measures Google and other tech companies have adopted since Russian hackers successfully spear phished Hillary Clinton campaign chair John Podesta. Hackers stole more than 50,000 of his emails after a click on a “change password” button on an email disguised as a security alert from Google.
“2016 was a watershed moment for a lot of people in the technical security space,” Guemmy Kim, Google's product manager for account security, tells me.
While so much of the discussion in Washington has focused on securing the midterms, November 6 is only the beginning. The stakes will only rise as more high-profile candidates take on President Trump -- especially given that intelligence agencies have concluded Russia sought to influence the last presidential election in his favor. Campaigns are feeling the pressure to be more secure. And as campaigns start setting up their infrastructure for 2020, technology companies must be prepared to meet their needs.
Google last year started offering increased email protections for high-risk email users such as campaign workers and journalists. The company is now working to raise awareness about this offering -- especially since many of these users may have their personal accounts tied to social media -- and to improve cybersecurity across its products.
Google's Advanced Protection Protection requires the high-risk individuals to use a physical security key to login, a process that could be cumbersome for everyday users but gives an added layer of security against phishing to people who need it. “I would say if in doubt, it never hurts to go to a higher form of security as long as you don’t lose your security key,” Kim said.
Google, which has become a widely ubiquitous email provider, plays an essential role in election integrity, not only because of the sensitive messages that campaigns may send. The service also could be a gateway for hackers to access other services linked to email, such as Facebook or Twitter. Most people sign up for these services using their email address, and those same addresses can be used to reset account credentials.
Washington lawmakers are increasingly eyeing the company's data practices as concerns grow about the elections. Lawmakers summoned the company’s top executives to the Hill for an election integrity hearing earlier this year. When the company declined to send a witness that the panel deemed sufficiently senior, lawmakers sought to shame Google with an empty chair. Amid continued criticism, Google's Chief Executive Sundar Pichai agreed to testify in Congress after the midterms.
And the company has come under fire recently for its security practices. Google said two weeks ago that it had a security vulnerability that imperiled the data of hundreds of thousands of Google customers. But reports that company officials chose not to reveal it partly due to concerns it would earn scrutiny from policymakers led some lawmakers to respond by calling for a Federal Trade Commission investigation and tougher privacy laws.
While Google has largely taken a “duck and cover” strategy, Microsoft — which makes email services such as Outlook and Hotmail — has touted its election integrity efforts. The company announced a “Defending Democracy Program” in April of this year, which includes special account safeguards for customers in the political space. The company said it would work directly with organizations using its special services for politicians to notify them of security issues and help them shore up their systems.
“By examining certain compromises or targeted campaigns against organizational email and personal accounts, we’re able to see larger patterns that are not apparent when accounts are examined in isolation,” said Tom Burt, Microsoft corporate vice president of safety and trust, in a recent blog post.
However, its email services are used by a much smaller percentage — 9.3 percent — of the U.S. candidates Area1 is tracking.
Meanwhile, cybersecurity providers are already diving in to assist with presidential campaign cybersecurity. Area1 is already working with potential presidential candidates, helping them address email security before their campaigns have even been formally announced. The company on Tuesday unveiled a new “pay-per-phish” pricing model for both campaigns and businesses, which will charge customers per attack it intercepts. Area1 Chief Executive Oren Falkowitz said this pricing model could help bring more security features to cash-strapped campaigns.
“Always in cybersecurity, the best time is to get in front of the attack, and not wait to clean it up afterwards,” Falkowitz said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “The United States Cyber Command is targeting individual Russian operatives to try to deter them from spreading disinformation to interfere in elections, telling them that American operatives have identified them and are tracking their work, according to officials briefed on the operation,” the New York Times's Julian E. Barnes reported Tuesday. “The campaign, which includes missions undertaken in recent days, is the first known overseas cyberoperation to protect American elections, including the November midterms.”
As the Times noted, it is unclear how Cyber Command is actually telling Russian operatives that the United States has identified them. “The Cyber Command operations appear relatively measured, especially in comparison with the increasingly elaborate and sophisticated efforts by Russia to use disinformation to sow dissent in the United States,” Barnes wrote. “But the American campaign undertaken in response to Russia’s information offensive is limited in large part to keep Moscow from escalating in response by taking down the power grid or conducting some other reprisal that could trigger a bigger clash between great powers. Compared with traditional armed conflict, the rules of cyberwarfare are not well defined.”
Additionally, Barnes reported that “Cyber Command has also sent teams to Ukraine, Macedonia and Montenegro to build up defenses against Russian hackers intent on penetrating government networks on its doorstep in Eastern Europe.”
PATCHED: “A high-profile Saudi investment conference that was due to begin this week experienced another setback Monday after its website appeared to be defaced by hackers critical of Saudi Crown Prince Mohammed bin Salman,” The Washington Post's Brian Fung reported. “The home page for the conference — which markets itself as ‘Davos in the Desert’ — was overtaken Monday and replaced with a message calling for Saudi officials to be held ‘responsible for its barbaric and inhuman action, such as killing its own citizen Jamal Khashoggi and thousands of innocent people in Yemen.’” Brian reported that the website was quickly taken offline — and was later restored.
Also on Monday, Reuters reported that Saud al-Qahtani, a top aide for the Crown Prince, ran the killing of journalist Khashoggi via Skype. “According to one high-ranking Arab source with access to intelligence and links to members of Saudi Arabia’s royal court, Qahtani was beamed into a room of the Saudi consulate via Skype,” Reuters reported. “He began to hurl insults at Khashoggi over the phone. According to the Arab and Turkish sources, Khashoggi answered Qahtani’s insults with his own.” The Post's Tamer El-Ghobashy, Kareem Fahim and Carol Morello reported that Qahtani “on Sunday changed his Twitter biography — reflecting his demotion from adviser to the Royal Court to the head of the Saudi Federation for Cybersecurity.”
PWNED: A Bloomberg Businessweek story that described a hardware-based hacking operation by China continues to face denials. Super Micro Computer disputed the content of the story in an Oct. 18 letter to its customers that was filed with the Securities and Exchange Commission, the Wall Street Journal's Allison Prang reported Monday. “We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong,” Super Micro said in the letter, as quoted by Prang. “From everything we know and have seen, no malicious hardware chip has been implanted during the manufacturing of our motherboards.” The company also said that it is launching a review even though there is no proof of a malicious implant, according to the Journal.
Moreover, Andy Jassy, who manages Amazon Web Services, said Monday that Bloomberg Businessweek ought to retract the story, which alleged that the Chinese operation had affected several companies including Amazon.com and Apple. “They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories,” Jassy said on Twitter. “Reporters got played or took liberties. Bloomberg should retract.” Jassy's comments followed a similar call for a retraction by Apple chief executive Tim Cook in an interview with BuzzFeed News last week. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract. https://t.co/RZzuUt9fBM— Andy Jassy (@ajassy) October 22, 2018
— National security adviser John Bolton said Monday that Russian interference did not affect the result of the past U.S. presidential election but created “distrust” of Russia, Reuters reported. “‘The point I made to Russian colleagues today was that I didn’t think, whatever they had done in terms of meddling in the 2016 election, that they had any effect on it, but what they have had an effect in the United States is to sow enormous distrust of Russia,’ Bolton told radio station Ekho Moskvy during his visit to Moscow, according to a transcript provided by the White House,” Reuters reported.
— The FBI is investigating cyberattacks that targeted the website of Bryan Caforio, who unsuccessfully ran for the Democratic nomination in California's 25th Congressional District this year, Rolling Stone's Andy Kroll reported Monday. Rolling Stone had reported last month that Caforio's website appeared to have been hit by distributed denial-of-service attacks during a five-week period. “It was unclear from the campaign’s data who launched the attacks,” Kroll wrote on Monday. “But in early October, a few weeks after Rolling Stone’s report, Caforio says an FBI special agent based in southern California contacted one of his former campaign staffers about the DDoS attacks. The FBI has since spoken with several people who worked on the campaign, requested forensic data in connection with the attacks and tasked several specialists with investigating what happened, according to a source close to the campaign.”
— “The Treasury Department is investigating the theft of nearly $700,000 from the D.C. government in July by scammers who successfully impersonated a city vendor and had the money wired to their bank account, city officials said,” The Post's Peter Jamison wrote Monday. A hacker contacted the D.C. government after creating a fraudulent email address to pose as a vendor, my colleague reported. “Using the email, the hacker asked that the city begin processing vendor payments through electronic transfer rather than checks,” Peter wrote. “The city then paid several outstanding invoices to the new account the hacker had specified.”
— If New Jersey's elections were to be hacked, security experts worry that it might be impossible to know whether vote counts were changed because virtually all electronic voting machines in the state are paperless, Susanne Cervenka of the Asbury Park Press reported Monday. “Critics have long been concerned about the vast majority of New Jersey's voting infrastructure,” Cervenka wrote. “Voters cast ballots at polling places on a system that records their selections on computer hardware. Most of these machines produce no individual paper ballots that can later be read and counted by a person.”
Warren County is the only county whose voting machines include a paper backup at the moment, and the town of Westfield in Union County will also start using new voting machines with a paper trail on Election Day, according to the Asbury Park Press. “The Brennan Center for Justice's Democracy Program sent letters to New Jersey and seven other states last month that use paperless voting machines as their main vote counters, urging them to move forward in the wake of a federal court ruling out of Georgia last month that indicated continuing to use the paperless machines could be interpreted as violating voters’ Constitutional rights,” Cervenka reported.
— More cybersecurity news from the public sector:
- Palo Alto Networks Federal Ignite 2018 conference in Washington.
Defining gender: What a narrow framework could mean for the transgender community.
Can Beto O’Rourke really beat Ted Cruz in Texas?
The five most competitive Senate races of 2018: